What Stryker’s Cyberattack Teaches Every Business Owner

A $25 billion company’s Microsoft environment went down in hours. Here’s what that means for yours. And what you should verify today.

On March 11, 2026, Stryker confirmed that a cyberattack had disrupted its global Microsoft environment. (Source) Stryker is a medical technology company with $25 billion in annual revenue. Its products are used in the care of over 150 million patients each year. The group behind the attack, an Iran-linked outfit called Handala, framed it as retaliation for the U.S. airstrike on the Minab school in Tehran. Stryker filed an 8-K with the SEC stating there was no ransomware involved and that the incident appeared contained.

That last sentence is where a lot of business owners stop reading. No ransomware. Contained. They exhale and move on.

Don’t do that.

The most important part of this story isn’t what happened to Stryker. It’s what it tells us about how attacks are evolving. And what it means if your business runs on Microsoft 365, Azure, or Exchange. Which most businesses in Florida do.

Here’s the detail that should keep you up at night: the attackers didn’t exploit some exotic vulnerability. They compromised Stryker’s Microsoft Intune admin console, the same mobile device management tool thousands of businesses use to secure their laptops and phones. Then they used its built-in remote-wipe function to factory-reset over 200,000 devices across 79 countries. The security tool became the weapon.

The timing made it worse. Stryker was in Las Vegas that same week, launching its new SmartHospital Platform at the HIMSS conference, showcasing the hospital of the future while its own systems were being erased.

“Contained to our internal Microsoft environment” is not good news

It means the attack worked. They got in. The only question is how far.

“No ransomware” doesn’t mean no damage

Ransomware has dominated cybersecurity headlines for years. Files locked. Ransom demanded. Pay or lose everything. It’s concrete, visible, and financially measurable. That’s why it gets the coverage.

But security researchers have tracked a quieter category for decades: destructive wiper malware. It’s gaining ground in conflict-driven cyberattacks. The goal isn’t extortion. It’s erasure. Iran has deployed it before: against Saudi Aramco in 2012 (the Shamoon wiper destroyed 35,000 computers) and Las Vegas Sands Corp. in 2014 (costing $40 million to recover). No ransom ask. No path to recovery. Just destruction.

When an attack doesn’t involve ransomware, it doesn’t mean nothing bad happened. Sometimes it means something worse happened. There was nothing to negotiate.

Stryker’s attack wiped devices globally. Email down. Collaboration tools down. Internal systems and workflows stalled. Handala also claims to have exfiltrated 50 terabytes of data before triggering the wipe. For a medical device company, that’s not just an IT problem. It touches supply chains, hospital relationships, and patient care.

For a Florida SMB, the scale is different. The consequences are not.

Why Microsoft environments are the target

Microsoft 365 is the backbone of most modern businesses. Email, file storage, Teams, calendar, identity management. All of it lives in one interconnected ecosystem. That’s its strength. It’s also why attackers target it.

A compromised Microsoft environment doesn’t just mean lost emails. It means attackers potentially have access to your identity layer (Microsoft Entra ID, formerly Azure Active Directory), your shared files (SharePoint, OneDrive), your internal communications (Teams), your device management console (Intune), and depending on your setup, your line-of-business applications.

Nation-state actors know this. The IRGC-linked Tasnim News Agency published a list of U.S. technology targets in the Middle East that included Amazon, Microsoft, Google, Oracle, Nvidia, IBM, and Palantir. Iran had already physically struck three AWS data centers in Bahrain and the UAE before publishing that list. These aren’t opportunistic attacks. They’re deliberate choices based on where the most damage can be done with the least effort.

Your business is a secondary target — until it isn’t. In the current environment, being adjacent to the right industry, using the right software, or simply being the least-hardened Microsoft tenant in a region can move you up the list.

The real lesson from this attack

Here’s what Stryker’s incident tells us about the current threat environment:

  • Geopolitical conflict now has a digital front line. Companies are on it. Handala is assessed by Microsoft, Check Point, and IBM X-Force as an arm of Iran’s Ministry of Intelligence and Security.
  • Attackers are targeting Microsoft environments, not because of a Microsoft vulnerability, but because that’s where your business lives.
  • Your security tools can be turned against you. The Intune attack used a built-in admin feature. Any organization with a compromised MDM admin account faces the same risk.
  • “Contained” is a relative term. Stryker has a full security team. Most SMBs don’t have the visibility to know what “contained” even means.
  • The attack came with no ransomware and no clear financial motive. That means no negotiation, no recovery path, and no one to call to get your data back.

The businesses that fare best in these situations aren’t the ones with the biggest IT budgets. They’re the ones that know their environment well enough to spot something wrong, and have a team that can respond in hours, not days.

6 things to verify in your Microsoft environment today

You don’t need a full security audit to take meaningful action right now. Start here:

Your 6-Point Security Check

✓  Multi-factor authentication is enabled on every account, no exceptions

✓  Conditional access policies are configured so logins from unusual locations trigger a review

✓  Audit logging is turned on in Microsoft 365 so you have a record of who accessed what

✓  Intune and MDM admin access is locked down. Review who has admin rights to your device management console, and protect those accounts with phishing-resistant MFA.

✓  Your IT partner can tell you, in under 10 minutes, whether any accounts in your tenant have been flagged for suspicious activity in the last 30 days

✓  You have a tested response plan: if your Microsoft environment goes down tomorrow morning, who calls who, and what happens in the first hour?
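
The audit-logging and Intune admin items above pay off only if someone reviews the record. As an added example (not thinkIT's or Microsoft's code), this Python sketch scans exported audit records and flags any admin account that issues a burst of remote wipes in a short window. The record field names, the sample data, and the threshold of 3 wipes in 10 minutes are assumptions to adapt to your own export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. The field names ("time", "actor", "action",
# "device") are hypothetical; map them from your own audit-log export.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T09:14:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0417"},
    {"time": "2026-03-02T13:40:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "PH-0093"},
    {"time": "2026-03-03T02:01:10", "actor": "mdm-admin@example.com", "action": "sync", "device": "LT-0001"},
    {"time": "2026-03-03T02:03:00", "actor": "mdm-admin@example.com", "action": "wipe", "device": "LT-0001"},
    {"time": "2026-03-03T02:03:20", "actor": "mdm-admin@example.com", "action": "wipe", "device": "LT-0002"},
    {"time": "2026-03-03T02:03:45", "actor": "mdm-admin@example.com", "action": "wipe", "device": "LT-0003"},
    {"time": "2026-03-03T02:04:30", "actor": "mdm-admin@example.com", "action": "wipe", "device": "PH-0004"},
    {"time": "2026-03-03T02:05:05", "actor": "mdm-admin@example.com", "action": "wipe", "device": "LT-0005"},
]


def find_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag actors who issued `threshold` or more wipes inside any `window`.

    Returns {actor: {"peak", "start", "end", "devices"}} describing the
    busiest window seen for each flagged actor.
    """
    per_actor = defaultdict(list)
    for event in events:
        if event["action"].lower() == "wipe":
            stamp = datetime.fromisoformat(event["time"])
            per_actor[event["actor"]].append((stamp, event["device"]))

    alerts = {}
    for actor, wipes in per_actor.items():
        wipes.sort()
        recent = deque()  # wipes that fall inside the current sliding window
        for stamp, device in wipes:
            recent.append((stamp, device))
            while stamp - recent[0][0] > window:
                recent.popleft()
            peak_so_far = alerts.get(actor, {}).get("peak", 0)
            if len(recent) >= threshold and len(recent) > peak_so_far:
                alerts[actor] = {"peak": len(recent), "start": recent[0][0],
                                 "end": stamp, "devices": [d for _, d in recent]}
    return alerts


if __name__ == "__main__":
    for actor, hit in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"{actor}: {hit['peak']} wipes between {hit['start']} and {hit['end']}")
```

A single wipe of a lost laptop stays quiet; one account wiping several devices within minutes is the pattern worth a phone call.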

Your security posture should match the threat

Stryker will recover. They have the resources and the team. What we don’t know yet is whether this attack will wake up the businesses that operate on the same platforms, in the same sectors, with a fraction of the security investment.

Florida businesses in healthcare, construction, professional services, and hospitality are not invisible to the groups behind these attacks. They’re just lower on the list. The question is how long that stays true, and whether your current IT setup would hold up if it changed.

If you’re not sure, that’s the answer.

Schedule a Microsoft environment review with thinkIT

We’ll walk through your Microsoft 365 tenant, check your security defaults, and flag anything that needs attention. One working session. No pressure, no jargon.

THINK is a Florida-based technology company delivering AI-enhanced IT solutions, managed services, and enterprise communications.
